Thursday, July 9, 2009

ECIW 09 in Lisbon

I just got back from Lisbon and the 8th European Conference on Information Warfare and Security. This annual conference brings together 60-100 academics from across the world to present and discuss their research during the two-day event.

A paper that I wrote for the conference in the winter got published in the proceedings (see publications). The main idea of the paper is that there are three general ways to create an offensive capability in cyberspace:
  • establish a unit/agency for that mission ("conventional" own forces approach)
  • outsource the problem by hiring digital mercenaries, cyber criminals and the like
  • develop or hijack a volunteer force, or a cyber militia, to attack convenient targets with little or no attribution for the state.
In reality, a combination of two or three is potentially more powerful than any single approach.

While thinking about the last two approaches, I came to some interesting conclusions. First, if a government uses volunteers or mercenaries to conduct an "illegal", or at least unethical, campaign against its political enemies, then there will be a rise in (cyber) crime in the state. This happens because the government cannot alienate the "friendly" attackers by arresting them for non-political crimes (such as sending spam, stealing credit card information or DDoSing commercial sites for blackmail). This also explains why cyber criminals seem to flourish in some states that also seem to have an aggressive stance in cyberspace.

The second idea was that in the case of volunteer forces, the government would have to "exercise" these forces once or twice a year in order to keep them "on mission". A volunteer offensive cyber militia will likely disband for more interesting pursuits if it is not called to arms for several years. This means that the state would have to provide a steady stream of external or internal "enemies" to keep the militia occupied.


  1. Some attacks could be hard/impossible to outsource - I doubt that commercial DDoS-ers would attack something like, the risk of damage to the botnet (meaning loss of income) is too high.

  2. Good point. However, hard does not mean impossible. In the end, it is a matter of price. If the reward is enticing enough, damaging or losing the botnet may not be an issue.

  3. I agree, if those high-profile attacks were outsourced to a black market DDoS-er, the price must have been significantly higher than average.

  4. Nowadays, I think, any terrorism is impossible without using cyberservices.

    Cyber-terrorism - Use of information technology by terrorist groups and individuals.